When you just run a blog, and only update it on occasion, then you don’t need to think too much about security. After all, the potential repercussions of an attack are going to be mild (you might lose access, or have an account disabled), and then there’s the unlikelihood of anyone attacking it in the first place. Hackers pursue valuable targets, so unless there’s someone with a vendetta against you, your blog site is probably fine.
But the e-Commerce world is different. Even if you only run a modest e-Commerce site with fairly low revenue, it’s still an appealing target to criminals — they can take control and redirect the revenue, or (more likely) just take the customer details and sell them to sketchy marketers. And if e-Commerce is your primary source of income, then it’s mission-critical that you take steps to secure your store against attack.
So how do you do it? Well, if you’re running a WooCommerce store, then you can’t rely on your host to do everything for you — but it’s a great platform, so it shouldn’t be too complicated to secure it yourself. Run through these 5 steps, and you should end up in a fairly solid position:
1. Limit admin access
E-Commerce can be a solo operation, but as it scales, it must morph into a more conventional business arrangement with employees and management. At various points (and for various reasons) it will be necessary to share admin access — allowing selected employees to go directly into the admin panel — and this requires trust.
Now, if you’ve studied the many guides and walkthroughs that litter the online world, you may have noticed that basic organizational elements like this aren’t covered in the typical e-Commerce blueprint. This is because they’re mostly generic — every business owner must be careful with trusting people, after all. But there perhaps should be some mention of the risks involved with admin access: while it’s noisy and risky to smash up a physical office, it’s easy to access the back-end of a CMS and leave it seriously damaged.
Because of this, you should be even more selective when sharing admin access than you would with sharing an office key. You might be somewhat sure that someone is trustworthy, but you never know when they might get disgruntled for whatever reason and decide to cause some damage before quitting. So vet people thoroughly, ensure there’s absolute trust, and remember that you can revoke admin access if it’s no longer justified.
2. Install a security plugin
What does a security plugin do for an e-Commerce site? Well, it secures transactions and bolsters shopper confidence. Sharing card details online is still dangerous, even today, and you don’t want to risk your site payments being redirected or altered in any way. It’s absolutely essential in e-Commerce to earn trust ASAP, and installing a security-boosting plugin shows customers that their security is your priority at the same time as demonstrating trustworthiness.
Perhaps the defining feature of WordPress is its immense flexibility, so there’s no shortage of security plugins available for WooCommerce users: here’s just one selection. If you’re running on a different CMS, then check whichever app, plugin or extension store is available to you and you’ll surely find some good options.
You should also be careful about the payment gateways you use. There are plenty that offer favourable rates but likely can’t offer the same kind of security that their more established rivals can. Even if it costs more, stick with gateways you can trust, and be sure to review them every few months to keep track of changes — just as the design of your website warrants ongoing investment, so too does your security.
3. Avoid plugin conflicts
Plugins are astoundingly useful for your website (here’s just a sample of WordPress plugins for the Divi theme), and there’s nothing inherently wrong with having a large selection installed — but you do need to be aware of two risks that come with using so many simultaneously.
Firstly, plugins are updated and patched at different rates. Some will be updated every few days, while others will get updated only when their developers feel like it. Since many plugins have extensive admin access, you can end up with a secure system being made vulnerable through running an insecure plugin.
Secondly, the more plugins you have interacting, the less stable your website will get. If you have enough plugins not designed to run together, you might find that features stop working — and this can even affect your security.
Thirdly, remove any outdated plugins or at least make sure the code is safe. An outdated plugin isn’t always unsafe, but if you do not know the code, it is best to remove it and find a replacement.
Consequently, you should do two things: get rid of any plugins that don’t justify their use, and aim to use plugins from trusted developers (if you use multiple plugins from the same developer, you can be confident they won’t cause conflicts).
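One way to find the plugins this step is talking about, as an added example that is not part of the original article: it assumes WP-CLI is installed on the host, and the sample CSV and plugin names in it are constructed so the script runs offline.

```shell
#!/usr/bin/env bash
# Flag plugins that need a decision: either an update is pending
# (patch it) or the plugin is inactive (remove it if it no longer
# justifies its place).
#
# On a real site, pipe WP-CLI output into audit_plugins:
#   wp plugin list --fields=name,status,update,version --format=csv \
#     | audit_plugins
#
# Constructed sample in the same column order; names are made up.
SAMPLE_CSV='name,status,update,version
woocommerce,active,none,1.0.0
example-slider,active,available,2.1.4
example-old-gallery,inactive,none,1.0.2
example-seo-pack,inactive,available,3.3.0'

# Read the CSV on stdin, print "reason<TAB>plugin" per finding.
# Assumes the four fields above, none of which contain commas.
audit_plugins() {
  awk -F',' 'NR > 1 {
    if ($3 == "available") print "update-pending\t" $1
    if ($2 == "inactive")  print "inactive\t" $1
  }'
}

# Read the CSV on stdin, print how many plugins match one reason.
count_flagged() {
  audit_plugins | awk -F'\t' -v r="$1" '$1 == r { n++ } END { print n + 0 }'
}

# Demo run against the constructed sample.
printf '%s\n' "$SAMPLE_CSV" | audit_plugins
```

A plugin that shows up under both reasons (inactive and unpatched) is the strongest candidate for removal.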
4. Switch to secure passwords
It’s likely that the importance of using secure passwords is stressed so forcefully and so frequently that it proves counterproductive — we read advice about passwords all the time, so we either start to think that we’ve already taken action, or we keep putting it off on the basis that we’ll surely get to it soon enough.
But it truly is immensely important. Brute-force attacks can crack your website wide open if you settle for “password123” or the name of your first pet. You might as well leave your front door unlocked. It doesn’t help that there’s conflicting advice to be found about what constitutes a secure password, with some thinking that more characters are always better (not necessarily).
If you use a password manager like LastPass, then you can simply auto-generate some suitable passwords and keep track of them, but even then you’ll need a solid password for that system. Try the hyphen method: come up with three words you’ll remember, and hyphenate them. For instance, cabbage-underpass-sandstone is an excellent password (don’t use that specifically!).
5. Ensure your host is trustworthy
Having a great website host won’t prevent you from making basic security mistakes, but it will help you in two other major ways: firstly, it will minimize the likelihood of your store being made vulnerable through a hosting hack, and secondly, it will help you recover in the event of a site hack. The better your relationship with your host, the easier it will be to reach out to them and have them help you get back up and running.
Since you’re running on WooCommerce, you have a fantastic choice of hosts (many specializing in WordPress sites), so don’t just settle for the one you’re currently using out of convenience. Take a look at what’s out there. Compare rates and performance guarantees. Read reviews from credible sources.
Should you move to a different host? That really depends on how highly you rate your current host. If you get regular updates and speedy communication, then stick with it. If you’re not that confident, and you’re not irrevocably attached to your host, then round up the most viable alternatives and pick something better.